On April 28, 2015, the U.S. Securities and Exchange Commission’s Division of Investment Management (the “Division”) issued a Guidance Update to investment and fund advisers on the topic of improving cyber security. While it is titled only as “Guidance”, firms and individuals who are subject to SEC regulations should pay close heed to the spirit, if not the letter, of the cyber security best practices discussed in the Update.
To provide context for the Update, the Division notes that, “cyber attacks on a wide range of financial services firms highlight the need for firms to review their cyber security measures.” Beyond that, the evolving nature of cyber attacks, with new threat vectors, automated botnets and relentless cyber criminals, should give all web-connected businesses reason to constantly monitor, assess and upgrade their cyber security.
In the Guidance Update, the Division set forth the following measures. None are ground-breaking, and many firms likely already employ them in some form or another.
Conduct Periodic Assessments to Identify Threats and Vulnerabilities
Firms should conduct a periodic assessment of:
- The nature, sensitivity and location of information that the firm collects, processes and/or stores, and the technology systems it uses;
- Internal and external cyber security threats to and vulnerabilities of the firm’s information and technology systems;
- Security controls and processes currently in place;
- The impact, should the information or technology systems become compromised; and
- The effectiveness of the governance structure for the management of cyber security risk.
The point of these assessments is to identify potential threats and vulnerabilities in order to allow a firm to better prioritize and mitigate those risks.
Develop a Cyber Security Strategy to Prevent, Detect and Respond to Threats
Firms should create a strategy that is designed to prevent, detect and respond to cyber security threats. Such a strategy could include:
- Controlling access to various systems and data via user credentials, authentication and authorization methods, firewalls and/or perimeter defenses, tiered access to sensitive information and network resources, network segregation and system hardening;
- Data encryption;
- Protecting against the loss or exfiltration of sensitive data by restricting the use of removable storage media and deploying software that monitors technology systems for unauthorized intrusions, the loss or exfiltration of sensitive data, or other unusual events;
- Data backup and retrieval; and
- Development of an incident response plan.
As with any strategies or plans, regular testing can enhance their effectiveness.
Implement the Strategy Through Written Policies and Procedures and Training
Firms should implement the strategy through written policies and procedures and training that provide guidance to officers and employees concerning applicable threats, and measures to prevent, detect and respond to such threats, and that monitor compliance with cyber security policies and procedures.
The Division also noted that, “funds and advisers should identify their respective compliance obligations under the federal securities laws and take into account these obligations when assessing their ability to prevent, detect and respond to cyber attacks.”
The SEC’s message is clear: to the extent that cyber attacks can impact a firm’s ability to be in compliance with federal securities laws, the firm needs to recognize that risk and take the necessary steps to mitigate it. Failure to develop and implement a robust cyber security strategy will not be an excuse for compliance failures resulting from successful cyber attacks.
Not coincidentally, this Guidance Update comes less than two months after the SEC’s Office of Compliance Inspections and Examinations (“OCIE”) published its own “Cybersecurity Examination Sweep Summary” with an assessment of the cyber-attack vulnerability of broker-dealers and registered investment advisers from a cross-section of the financial services industry. Our post about that OCIE summary can be found here.
This will not be the last word on cyber security from the SEC. In fact, the Division noted in the Update that it will continue to focus on cyber security and monitor events in the area, given the rapidly changing nature of cyber threats.